- hosts: certbot.machine.tld
  roles:
    - certbot
  vars:
    certbot_mail_address: mail@example.com
    certbot_domains:
      - primary.my.tld
      - another.my.tld
    certbot_post_renewal_script: |
      scp /etc/letsencrypt/live/primary.my.tld/fullchain.pem remote:/etc/certdest